Non-crucial information on the YGS-2026 malware family.
Organization members can refer to the YGS-2026-01 repository for more information about YGS-2026-01 and the related YGS-2026-02.
More information will be made publicly available once CNCERT agrees.
URGENT: Active C2 infrastructure detected. Victims are widespread in China. TSRC and CNCERT have been notified but have remained unresponsive for more than 60 hours. Public disclosure might be needed.
UPDATE (2026-01-27 CST): Huorong Security Lab has confirmed that the threat is now contained; consequently, we are releasing our full investigation findings. While some materials in this repository contain data that could theoretically be leveraged for social engineering, we have verified that all such information is strictly limited to our isolated testing environment. Viewers can refer to the YGS-2026-01 repository for more information about YGS-2026-01 and the related YGS-2026-02.
UPDATE (2026-01-29 CST): It seems that Huorong Security Lab has only added the samples' signatures to their threat database and nothing more has been done; consequently, we will keep reporting.
UPDATE (2026-02-18 CST): As our reporting has failed to receive a substantive response, we are now proceeding with full public disclosure.